[Mimedefang] CLSID extension vulnerabilities

Michael McCarthy m.mccarthy at psy.uq.edu.au
Wed May 22 20:40:28 EDT 2002


GFI have an interesting email security system test 
(http://www.gfi.com/emailsecuritytest/) if you want to test out your 
mimedefang-filter against a few of the more esoteric Windows exploits.

In particular it sends a test attachment with a CLSID extension

e.g. viewthis.jpg.{73a4c9c1-d68d-11d0-98bf-00a0c90dc8d9}

Regardless of its Folder options View settings, Explorer displays the 
filename as viewthis.jpg even though it could be an executable object (in 
their demo it is and it creates a file on your desktop).

The point is that my mimedefang-filter didn't block this attachment. I'd 
suggest modifying filter_bad_filename in the sample filter to


sub filter_bad_filename {
     my($entity) = @_;
     return re_match($entity, 
'\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|inf|ini|ins|isp|js|jse|lib|lnk|mde|msc|msi|msp|mst|ocx|pcd|pif|reg|scr|sct|shb|shs|sys|url|vb|vbe|vbs?|vxd|wsc|wsf|wsh|\{[a-f0-9-]+\})');
}

Cheers


-
================
Michael McCarthy
IT Manager
School of Psychology
The University of Queensland
+617 3365 6687
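
The following stand-alone Perl script is an added example, not part of the original post or of MIMEDefang itself. It runs the pattern from the post over constructed filenames and compares it with an end-anchored variant. The helper name_matches and the anchored suffix are assumptions made for illustration; name_matches stands in for re_match and assumes case-insensitive matching.

```perl
#!/usr/bin/perl
# Added example: checks the extension pattern suggested in the post against
# constructed filenames, without needing MIMEDefang or MIME::Entity.
use strict;
use warnings;

# Pattern copied verbatim from the post.
my $posted = '\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|inf|ini|ins|isp|js|jse|lib|lnk|mde|msc|msi|msp|mst|ocx|pcd|pif|reg|scr|sct|shb|shs|sys|url|vb|vbe|vbs?|vxd|wsc|wsf|wsh|\{[a-f0-9-]+\})';

# Assumed stricter variant (not from the post): the listed extension must be
# the final one, allowing only trailing dots or whitespace after it.
my $anchored = $posted . '[.\s]*$';

# Hypothetical stand-in for re_match: applies the pattern to a bare filename,
# case-insensitively (assumption about how the filter matches names).
sub name_matches {
    my ($name, $re) = @_;
    return $name =~ /$re/i ? 1 : 0;
}

# Constructed sample filenames (not taken from any real message).
my @samples = (
    'viewthis.jpg.{73a4c9c1-d68d-11d0-98bf-00a0c90dc8d9}',  # CLSID from the post
    'VIEWTHIS.JPG.{73A4C9C1-D68D-11D0-98BF-00A0C90DC8D9}',  # same, upper case
    'invoice.pdf.exe',                                      # double extension
    'setup.exe.',                                           # trailing dot
    'holiday.jpg',                                          # benign
    'notes.company.txt',                                    # benign, contains ".com"
);

printf "%-55s %-7s %s\n", 'filename', 'posted', 'anchored';
for my $name (@samples) {
    printf "%-55s %-7s %s\n", $name,
        name_matches($name, $posted)   ? 'BLOCK' : 'pass',
        name_matches($name, $anchored) ? 'BLOCK' : 'pass';
}
```

Both patterns catch the CLSID name in either case; the unanchored one also flags notes.company.txt because `\.com` matches in the middle of the name.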



